Contracts are a well-established approach for describing and analyzing behavioral aspects of web service compositions. The theory of contracts comes equipped with a notion of compatibility between clients and servers that ensures that every possible interaction between compatible clients and servers will complete successfully. It is generally agreed that real applications often require the ability of exposing just partial descriptions of their behaviors, which are usually known as abstract processes. We propose a formal characterization of abstraction as an extension of the usual symbolic bisimulation and we recover the notion of abstraction in the context of contracts.

1 Introduction 

Service Oriented Computing is a paradigm that builds upon the notion of services as interoperable elements that can be dynamically discovered through a public description of their interface, which includes their behavior or contract. Session types [ IQl |71 HI and contracts ifTTl IH |5l |2l provide a framework for checking whether a client is compliant with a service and whether a process can be "safely" replaced with another one. Both contracts and session types statically ensure the successful completion of every possible interaction between compatible clients and services.

In a previous work [3] we have addressed an issue related to contracts by developing a formal theory of abstract processes in orchestration languages. An orchestrator describes the execution flow of a single party in a composite service. The execution of an orchestrator takes control of service invocation, handles service answers and data flow among the different parties in the composition. Since orchestrators are descriptions at implementation level and may contain sensitive information that should be kept private to each party, orchestration comes equipped with the notion of abstract process, which enables the interaction of parties while hiding private information. Essentially, abstract processes are partial descriptions intended to expose the protocols followed by the actual, concrete processes. Typically, abstract processes are used for slicing the interactions of a concrete process over a fixed set of ports. As a sample scenario, consider an organization that sells goods that are produced by another company. The process that handles order requests can be written as follows.



The process $C_1$ starts by accepting an order as a message on port $order$. Then, the received order is forwarded to the actual producer to obtain a quotation. Finally, the client request is answered by sending the production cost incremented by 10%. An abstract process of $C_1$ should at the same time hide the sensitive details of the organization and give enough information to the client for allowing interaction. For instance, the following abstract process (where $\tau$ stands for a silent, hidden action) shows the interaction of $C_1$ with a client.

$$A_{C_1} = order(desc).\tau.\tau.reply(cost)$$

Another feature of abstract processes is to hide particular values and internal decisions made by concrete 
processes. Consider, e.g., the following process for authorizing loans. 

$$C_2 = request(amount, salary).\ \mathtt{if}\ salary > amount/50\ \mathtt{then}\ refuse()\ \mathtt{else}\ approved()$$

Suppose also that the bank does not want to publicly declare its policy, under which a loan is approved 
only when the requested amount is at most 50 times the solicitor's salary. This can be achieved by 
providing an abstract process where some values are opaque (noted with □), i.e., not specified. An 
abstract process of C2 can be as below. 



$$A_{C_2} = request(amount, salary).\ \mathtt{if}\ salary > \square\ \mathtt{then}\ refuse()\ \mathtt{else}\ approved()$$

Note that the conditional process in $A_{C_2}$ has to be thought of as an internal, non-deterministic choice in which the bank may decide either to approve or to refuse the application. In other words, the client cannot infer from $A_{C_2}$ the actual decision that the bank will take. In general, we require an abstraction to provide enough information to decide whether a client and a service are compliant, i.e., whether their interaction will allow them to complete their execution or not.

In [3] we have characterized the valid abstractions of a concrete orchestration and we have shown that valid abstractions preserve compliance. More precisely, we have formally defined suitable abstractions of concrete processes as a relation among abstract and concrete processes, called simulation-based abstraction relation, which is an extension of the usual symbolic bisimulation [9, 1].

A main goal of the present paper is to investigate the relation between simulation-based abstraction and contracts. In particular, we aim at recovering the notion of abstraction in the context of the theory of contracts developed in [5]. Contracts are types describing the external, visible behavior of a service. Contracts come equipped with a notion of service compatibility that characterizes all the valid clients of a service, i.e., the clients that terminate any possible interaction with the service. In this sense, contracts can be used to statically ensure that the composition of two services is safe. Contract compatibility induces a preorder relation ($\preceq$) among contracts that characterizes the safe replacement of services. For instance, considering two contracts $\sigma_1$ and $\sigma_2$, if $\sigma_1 \preceq \sigma_2$ we know that any valid client of $\sigma_1$ is also a valid client of $\sigma_2$, hence $\sigma_1$ can be substituted by $\sigma_2$ in any context. A contract for the service $C_1$ corresponding to the selling company example introduced above can be written as follows.



$$\sigma_1 = order.askProd.answProd.reply$$

Note that $\sigma_1$ describes the interactions of $C_1$ with both the client and the producer. Hence, we would like to use the idea of abstraction in the context of contracts to obtain slices of the behaviour of a service and to reason about the interactions of a service with a particular partner, i.e., we would like to use $\sigma_1$ to conclude that any client behaving as $\rho_1 = order.reply$ is compliant with the role client of the service $\sigma_1$.

More in detail, given a contract $\sigma$ and a role, defined in terms of a set of visible actions $V$, the abstraction $\mathcal{A}_V(\sigma)$ of $\sigma$ can be thought of as the contract that hides all the actions in $\sigma$ that do not appear in $V$. For instance, the abstraction of $\sigma_1$ for the role client will be as follows

$$\mathcal{A}_{\{order, reply\}}(\sigma_1) = order.reply$$
Another key property of the abstraction type is to turn guarded choices into internal choices, if some guards are hidden. For instance, consider the process $P = a().c() + b().d()$. The type of $P$ is $\sigma = a.c + b.d$. If we hide $a$, the abstraction type of $\sigma$ is

$$\mathcal{A}_{\{b, c, d\}}(\sigma) \stackrel{def}{=} c \oplus b.d$$

The main technical contributions of this work are the following. Firstly, we define abstraction as a function $\mathcal{A}_V(\cdot)$ over contracts and show that our definition behaves well with respect to safe replacement, i.e., $\mathcal{A}_V(\sigma)$ can be substituted by $\mathcal{A}_V(\rho)$ whenever $\sigma$ can be substituted by $\rho$. Technically speaking, this fact amounts to proving that $\sigma \preceq \rho$ implies $\mathcal{A}_V(\sigma) \preceq \mathcal{A}_V(\rho)$, when taking $\preceq$ as the strong subcontract preorder.

Then, we show that contract abstraction can be used on top of contracts to reason about slices of a concrete service. That is, given a suitable type system for assigning contracts to concrete services, the type of a particular slice of a concrete service can be defined simply as the abstraction of the original contract. Formally, we show that any consistent type system enriched with a typing rule that assigns to any slice of a concrete service the corresponding contract abstraction is a consistent type system. This result allows us to use abstraction over contracts to reason about slices of a concrete service, e.g., we can use $\mathcal{A}_{\{order, reply\}}(\sigma_1)$ to safely reason about the interactions of $C_1$ with a client.

Finally, we show that contract abstraction matches simulation-based abstraction. Consider the simulation-based abstraction $Q$ of $P$ that characterizes a particular slice of $P$. Assume that $Q$ has contract $\sigma$ and consider any compliant client $C$ of $Q$ (namely, the type of $C$ is compliant with $\sigma$). Our results ensure that $C$ is also compliant with the slice of $P$ described by $Q$.

2 Abstract processes 

In this section we recall the language of abstract processes proposed in [3] along with a notion of abstraction relation over processes, which is a generalisation of LJJ. First, we introduce the language of abstract processes, which is a version of value-passing CCS [12] with input guarded choices and conditional statements but without recursion, plus the possibility of having opaque definitions. An opaque element is meant to hide the precise value of an element: for instance, an opaque assignment to a data variable hides the assigned value. We assume the set of data values to be finite so that the present version of the calculus can be encoded into the fragment without value-passing. We refer the interested reader to [12] for a more detailed treatment.

Syntax We assume an infinite denumerable set of names $\mathcal{N}$ that is partitioned into a set of port names $\mathcal{X}$, a set of finite data variables $\mathcal{V}$, and a finite set of data constants $\mathcal{C}$. We write the special name $\square$ to denote an opaque element, and we assume $\square \notin \mathcal{N}$. We let $\eta$ range over $\mathcal{N} \cup \{\square\}$, $u, v, \dots$ range over $\mathcal{V}$, $a, b, c, \dots$ range over $\mathcal{C} \cup \{\square\}$, and $x, y, z, \dots$ range over $\mathcal{X}$. We let $m, n, \dots$ range over $\mathcal{V} \cup \mathcal{C} \cup \{\square\}$. We write $\tilde{n}$ for a tuple of names. Substitutions, ranged over by $\sigma$, are partial maps from $\mathcal{V}$ onto $\mathcal{V} \cup \mathcal{C} \cup \{\square\}$. Domain and co-domain of $\sigma$, noted $dom(\sigma)$ and $cod(\sigma)$, are defined as usual. By $m\sigma$ we denote $\sigma(m)$ if $m \in dom(\sigma)$, and $m$ otherwise.

The set of abstract processes $\mathcal{P}$ is given by the following grammar:

$$P ::= 0 \ \mid\ P \,|\, P \ \mid\ \tau.P \ \mid\ \bar{x}(m).P \ \mid\ x_1(v_1).P + \dots + x_n(v_n).P \ \mid\ \mathtt{if}\ m = n\ \mathtt{then}\ P\ \mathtt{else}\ P$$

As usual, $0$ stands for the inert process, $P \,|\, P$ for the parallel composition of processes, $\tau.P$ for the process that performs a silent action and then behaves like $P$, $\bar{x}(m).P$ for the process that sends the message $m$ over the port $x$ and then becomes $P$. The process $x_1(v_1).P_1 + \dots + x_n(v_n).P_n$ denotes an external choice in which some process $x_i(v_i).P_i$ is chosen when the corresponding guard $x_i(v_i)$ is enabled. The conditional process $\mathtt{if}\ m = n\ \mathtt{then}\ P\ \mathtt{else}\ P'$ behaves either as $P$ if $m$ and $n$ are syntactically equivalent, or as $P'$ otherwise. Opaque names can appear either as subjects of input and output prefixes, values of output prefixes, or parts of conditions in $\mathtt{if}\ \_\ \mathtt{then}\ \_\ \mathtt{else}\ \_$ processes, but not as bound variables. A conditional statement becomes an internal choice when at least one value in the condition is opaque; similarly, a guarded choice becomes an internal choice when the subject of the input guard is the opaque name.

We let $P, Q, R, \dots$ range over abstract processes and we simply write process to denote an abstract process. By concrete processes we denote processes not containing opaque names. Note that in $x_1(v_1).P_1 + \dots + x_n(v_n).P_n$, the data variables $v_i$ are bound, for all $i$. We use the standard notions of free and bound names of processes, noted respectively $fn(P)$ and $bn(P)$, and $\alpha$-conversion on bound names. We assume that the sets of free and bound names are disjoint and that the bound names of a process are all distinct from each other. As usual, a process $P$ is closed if $fn(P) \cap \mathcal{V} = \emptyset$. We also adopt the usual convention of omitting trailing $0$'s.

2.1 Symbolic semantics 

For the purpose of this paper we only recall the symbolic labeled transition relation over processes, while we report in Appendix A the non-symbolic semantics along with a proof that the two semantics are equivalent.

We define structural congruence, $\equiv$, as the least congruence over processes that is closed with respect to $\alpha$-conversion and such that the set of processes is a monoid with respect to parallel composition $|$ ($0$ being the neutral element).

We let symbolic actions $\lambda$ range over the silent move, input and free output, and we let conditions $M$ range over a language of Boolean formulas:

$$\lambda ::= \tau \ \mid\ x(\tilde{v}) \ \mid\ \bar{x}(\tilde{m}) \qquad\qquad M ::= true \ \mid\ false \ \mid\ m = n \ \mid\ m \neq n \ \mid\ M \wedge M \ \mid\ M \vee M$$

As usual, for $\lambda \neq \tau$, $subj(\lambda)$ and $obj(\lambda)$ denote the subject and the object of $\lambda$ respectively. The notions of free names $fn(\cdot)$, bound names $bn(\cdot)$, and $\alpha$-conversion over actions and conditions are as expected, considering that the occurrences of the names $v_i$'s are bound in $x(\tilde{v})$ and that conditions have no bound names. For $X$ a process or an action, $X\sigma$ denotes the expression obtained by replacing in $X$ each data variable $u \in fn(X)$ with $u\sigma$, possibly $\alpha$-converting to avoid name capturing. By $M\sigma$ we mean the condition obtained by simultaneously replacing in $M$ each data variable $v \in fn(M)$ with $v\sigma$. A condition $M$ is ground if $M$ does not contain data variables. The evaluation $Ev(M)$ of a ground condition $M$ into the set $\{true, false\}$ is defined by extending in the expected homomorphic way the following clauses:

$$Ev(true) = true \qquad Ev(a = a) = true \qquad Ev(a = b) = true \ \text{ if } \{a, b\} \cap \{\square\} \neq \emptyset$$

$$Ev(false) = false \qquad Ev(a = b) = false \ \text{ if } a, b \neq \square \text{ (for } a \text{ and } b \text{ distinct)} \qquad Ev(a \neq b) = true \ \text{ if } \{a, b\} \cap \{\square\} \neq \emptyset$$

A substitution $\sigma$ respects $M$, written $\sigma \models M$, if $M\sigma$ is ground and $Ev(M\sigma) = true$. A condition $M$ is consistent if there is a substitution $\sigma$ such that $\sigma \models M$. A condition $M$ logically entails a condition $N$, written $M \Rightarrow N$, if, for every $\sigma$, $\sigma \models M$ implies $\sigma \models N$. For instance, $v = a \wedge u \neq b \wedge v = u \Rightarrow a \neq b$ and $true \Rightarrow u = a \vee u \neq a$. For $\lambda$ a symbolic action and $\sigma$ a substitution such that every data variable in $\lambda$
(S-TAU) $\tau.P \xrightarrow{true,\ \tau} P$

(S-OUT) $\bar{x}(\tilde{m}).P \xrightarrow{true,\ \bar{x}(\tilde{m})} P$

(S-IN) $x_1(\tilde{v}_1).P_1 + \dots + x_n(\tilde{v}_n).P_n \xrightarrow{true,\ x_i(\tilde{v}_i)} P_i$

(S-PAR) $\dfrac{P \xrightarrow{M,\lambda} P' \qquad bn(\lambda) \cap fn(Q) = \emptyset}{P \,|\, Q \xrightarrow{M,\lambda} P' \,|\, Q}$

(S-STR) $\dfrac{P \equiv Q \qquad Q \xrightarrow{M,\lambda} Q' \qquad Q' \equiv P'}{P \xrightarrow{M,\lambda} P'}$

(S-IF) $\dfrac{P \xrightarrow{M,\lambda} P' \qquad m = n \wedge M \text{ consistent}}{\mathtt{if}\ m = n\ \mathtt{then}\ P\ \mathtt{else}\ Q \xrightarrow{m = n \wedge M,\ \lambda} P'}$

(S-ELSE) $\dfrac{Q \xrightarrow{M,\lambda} Q' \qquad m \neq n \wedge M \text{ consistent}}{\mathtt{if}\ m = n\ \mathtt{then}\ P\ \mathtt{else}\ Q \xrightarrow{m \neq n \wedge M,\ \lambda} Q'}$

(S-CHOICE-1) $\dfrac{P \xrightarrow{M,\lambda} P' \qquad \square \in \{m, n\}}{\mathtt{if}\ m = n\ \mathtt{then}\ P\ \mathtt{else}\ Q \xrightarrow{M,\lambda} P'}$

(S-CHOICE-2) $\dfrac{Q \xrightarrow{M,\lambda} Q' \qquad \square \in \{m, n\}}{\mathtt{if}\ m = n\ \mathtt{then}\ P\ \mathtt{else}\ Q \xrightarrow{M,\lambda} Q'}$

(S-CHOICE-3) $x_1(\tilde{v}_1).P_1 + \dots + \square(\tilde{v}_i).P_i + \dots + x_n(\tilde{v}_n).P_n \xrightarrow{true,\ \tau} P_i$

Table 1: Symbolic LTS for processes



belongs to $dom(\sigma)$, we write $\lambda\sigma$ to denote the following action:

$$\lambda\sigma \stackrel{def}{=} \begin{cases} \tau & \text{if } \lambda = \tau \\ \bar{x}(a_1, \dots, a_k) & \text{if } \lambda = \bar{x}(n_1, \dots, n_k) \text{ and } a_i = n_i\sigma \text{ for } i = 1, \dots, k \\ x(a_1, \dots, a_k) & \text{if } \lambda = x(v_1, \dots, v_k) \text{ and } a_i = \sigma(v_i) \text{ for } i = 1, \dots, k \end{cases}$$



By $\lambda = \lambda'$ we denote the following condition:

$$\lambda = \lambda' \stackrel{def}{=} \begin{cases} true & \text{if } \lambda = \lambda' = \tau \text{ or } \lambda = \lambda' = x(\tilde{v}) \\ m = n & \text{if } \lambda = \bar{x}(m) \text{ and } \lambda' = \bar{x}(n) \\ false & \text{otherwise} \end{cases}$$



For $M$ a condition and $D = \{M_1, \dots, M_n\}$ a finite set of conditions, $D$ is an $M$-decomposition if $M \Rightarrow M_1 \vee \dots \vee M_n$. For instance, $\{m = a, m \neq a\}$ is a $true$-decomposition.

The symbolic labeled transition relation $\xrightarrow{M,\lambda}$ over abstract processes is the least relation satisfying the inference rules in Table 1. Intuitively, the condition $M$ in the label $M, \lambda$ of a transition collects the Boolean constraints on the free data variables of the source process necessary for action $\lambda$ to take place. For instance, the rules for prefixes say that each prefix can be consumed unconditionally, while rules (S-IF) and (S-ELSE) make the equalities or inequalities of the conditional statements explicit. For instance, the process $P = x(v).\mathtt{if}\ v = a\ \mathtt{then}\ \bar{y}(v)\ \mathtt{else}\ 0$, after a first step, can make a transition under the condition that variable $v$ is equal to $a$:

$$P \xrightarrow{true,\ x(v)} \mathtt{if}\ v = a\ \mathtt{then}\ \bar{y}(v)\ \mathtt{else}\ 0 \xrightarrow{v = a,\ \bar{y}(v)} 0$$
As another example, consider the process $R = \square(v_1).P + x(v_2).Q$. Two moves are possible for $R$: by rule (S-IN), $R \xrightarrow{true,\ x(v_2)} Q$, where the input guard is executed, and by rule (S-CHOICE-3), $R \xrightarrow{true,\ \tau} P$, where $R$ makes an internal choice.
Non-symbolic semantics. The following definition corresponds to the original semantics proposed in [3]. (Details are in Appendix A.)

Definition 1 (Non-symbolic semantics). Let $P$, $Q$ and $\lambda$ be closed terms. $P \xrightarrow{\lambda} Q$ iff $P \xrightarrow{M,\lambda'} P'$, $\sigma \models M$, $\lambda = \lambda'\sigma$ and $Q = P'\sigma$.

2.2 Simulation-based abstraction 

Definition 2 (visible names). Given a set of visible names $V$ and a symbolic action $\lambda$, the set of visible received names of $\lambda$, written $vn(\lambda)_V$, is defined as follows:

$$vn(\lambda)_V \stackrel{def}{=} \begin{cases} \tilde{u} & \text{if } \lambda = x(\tilde{u}) \text{ and } x \in V \\ \emptyset & \text{otherwise} \end{cases}$$

We will omit the subscript V when it is clear from the context. 

Definition 3 (simulation-based abstraction). The family $\mathcal{S} = \{\mathcal{S}_M\}_M$ of process relations is a family of simulation-based abstraction relations, indexed over the set of conditions $M$, iff for all $M$ and $P\ \mathcal{S}_M\ Q$:

1. If $Q \xrightarrow{N,\lambda} Q'$ and $bn(\lambda) \cap fn(P, Q, M) = \emptyset$ then there exists an $M \wedge N$-decomposition $D$ s.t. $\forall M' \in D$ there exists $P \xrightarrow{N',\lambda'} P'$, with $M' \Rightarrow N' \wedge \lambda|_V = \lambda'$ and $P'\ \mathcal{S}_{M'}\ Q'$.

2. If $P \xrightarrow{N,\lambda} P'$ and $bn(\lambda) \cap fn(P, Q, M) = \emptyset$ then there exists an $M \wedge N$-decomposition $D$ s.t. $\forall M' \in D$ there exists $Q \xrightarrow{N',\lambda'} Q'$ with $M' \Rightarrow N'|_V \wedge \lambda = \lambda'|_V$ and $P'\ \mathcal{S}_{M'}\ Q'$.

A process $P$ is a simulation-based abstraction of a process $Q$ with respect to a set $V \subseteq \mathcal{N}$, written $P \propto_V Q$, if there is an abstraction relation s.t. $P\ \mathcal{S}_{true}\ Q$, with $fn(P) \subseteq V$.

Condition 1 above states that the abstraction $P$ simulates the concrete process $Q$ up to hidden names. Note that we require $\lambda|_V = \lambda'$ instead of the standard definition of symbolic bisimulation, which imposes the exact matching of action labels. Condition 2 states that the (concrete) process $Q$ can simulate its abstraction $P$ if we forget about the constraints involving hidden values. That is, if $P$ proposes a move with label $(N, \lambda)$ we allow $Q$ to mimic the behavior for a more restrictive condition $N'$. (Actually, $N'$ may contain several additional constraints involving hidden names.) Note that this makes the abstraction relation not symmetric. For instance, consider the two processes below:

$$P = \mathtt{if}\ v = \square\ \mathtt{then}\ \bar{y}(v)\ \mathtt{else}\ \bar{z}(v) \qquad\qquad Q = \mathtt{if}\ v = a\ \mathtt{then}\ \bar{y}(v)\ \mathtt{else}\ \bar{z}(v)$$

It holds that $P \propto_V Q$ for $V = \{v, \dots\}$. Indeed, when considering the transition $P \xrightarrow{true,\ \bar{y}(v)} 0$, we can take $Q \xrightarrow{v = a,\ \bar{y}(v)} 0$ since $true \Rightarrow (v = a)|_V \wedge \bar{y}(v) = \bar{y}(v)|_V$. Conversely, $P \not\propto_V Q' = \mathtt{if}\ a = a\ \mathtt{then}\ \bar{y}(v)\ \mathtt{else}\ \bar{y}(v)$ because $P \xrightarrow{true,\ \bar{z}(v)}$ but $Q' \not\xrightarrow{M,\ \bar{z}(v)}$. We remark that the relation $\propto$ is a simulation (since the abstract process simulates the concrete one) but, in general, is neither a bisimulation nor a similarity.

3 Theory of contracts 

This section summarizes the basics about the theory of contracts proposed in [5]. Let $\mathcal{N}$ be a set of names; the set of contracts $\Sigma$ is given by the following grammar.

$$\alpha ::= a \ \mid\ \bar{a} \qquad a \in \mathcal{N}$$

$$\sigma ::= 0 \ \mid\ \alpha.\sigma \ \mid\ \sigma \oplus \sigma \ \mid\ \sigma + \sigma$$

The contract $0$ describes a service that does not perform any action. The contract $\alpha.\sigma$ stands for a service that is able to execute $\alpha$ and then continues as $\sigma$. The contract $\sigma + \rho$ describes a service that lets the client decide whether to continue as $\sigma$ or as $\rho$, while $\sigma \oplus \rho$ stands for a service that internally decides whether to continue as $\sigma$ or $\rho$. As usual, trailing $0$'s are omitted. Contracts will be considered modulo associativity of each sum operator. We usually write summations $\sigma_1 + \sigma_2 + \dots + \sigma_n$ and $\sigma_1 \oplus \sigma_2 \oplus \dots \oplus \sigma_n$ respectively as $\sum_{i \in \{1, \dots, n\}} \sigma_i$ and $\bigoplus_{i \in \{1, \dots, n\}} \sigma_i$. By convention, $\sum_{i \in \emptyset} \sigma_i = 0$.

In this paper we restrict our attention to finite contracts, although the presentation in [5] also deals with infinite contracts in the form of infinite trees that satisfy regularity and a contractivity condition.

The operational semantics of contracts is given in terms of the LTS defined below.

Definition 4 (Transition). Let $\sigma \mapsto^{\alpha}$ be the least relation such that:

$$\alpha.\sigma \mapsto^{\alpha} \qquad \dfrac{\sigma \mapsto^{\alpha}}{\sigma \oplus \rho \mapsto^{\alpha}} \qquad \dfrac{\sigma \mapsto^{\alpha}}{\sigma + \rho \mapsto^{\alpha}}$$

The transition relation of contracts, noted $\mapsto$, is the least relation satisfying the rules

$$\alpha.\sigma \mapsto^{\alpha} \sigma \qquad \dfrac{\sigma \mapsto^{\alpha} \sigma' \quad \rho \mapsto^{\alpha} \rho'}{\sigma + \rho \mapsto^{\alpha} \sigma' \oplus \rho'} \qquad \dfrac{\sigma \mapsto^{\alpha} \sigma' \quad \rho \not\mapsto^{\alpha}}{\sigma + \rho \mapsto^{\alpha} \sigma'} \qquad \dfrac{\sigma \mapsto^{\alpha} \sigma' \quad \rho \mapsto^{\alpha} \rho'}{\sigma \oplus \rho \mapsto^{\alpha} \sigma' \oplus \rho'} \qquad \dfrac{\sigma \mapsto^{\alpha} \sigma' \quad \rho \not\mapsto^{\alpha}}{\sigma \oplus \rho \mapsto^{\alpha} \sigma'}$$

and closed under mirror cases for the external and internal choices.

The operational semantics for contracts handles choices differently from the standard CCS transition system. Traditional CCS rules for a choice commit to the execution of a branch as soon as it performs the first action of the branch, e.g., $a.b + a.c$ reduces to both $b$ and $c$. Differently, the contract $a.b + a.c$ has only the continuation $b \oplus c$, i.e., the operational semantics does not provide any information about the actual choice that has been taken; in this way the environment is aware of the fact that the system will internally decide whether to behave as $b$ or $c$. Consequently, for any action $\alpha$ and contract $\sigma$ there is at most one contract $\sigma'$ such that $\sigma \mapsto^{\alpha} \sigma'$. Let $\sigma \mapsto^{\alpha} \sigma'$; we write $\sigma(\alpha)$ for the unique continuation of $\sigma$ after $\alpha$ (i.e., $\sigma(\alpha) = \sigma'$). We use $init(\sigma)$ to denote the set of actions that can be immediately emitted by $\sigma$, i.e., $init(\sigma) = \{\alpha \mid \exists \sigma' \text{ s.t. } \sigma \mapsto^{\alpha} \sigma'\}$.

Definition 5 (Ready sets). Let $\mathcal{P}_f(\mathcal{N} \cup \bar{\mathcal{N}})$ be the set of finite parts of $\mathcal{N} \cup \bar{\mathcal{N}}$, called ready sets. Let also $\sigma \Downarrow R$ be the least relation between contracts $\sigma \in \Sigma$ and ready sets $R \in \mathcal{P}_f(\mathcal{N} \cup \bar{\mathcal{N}})$ such that

$$0 \Downarrow \emptyset \qquad \alpha.\sigma \Downarrow \{\alpha\} \qquad \dfrac{\sigma \Downarrow R \quad \rho \Downarrow S}{\sigma + \rho \Downarrow R \cup S} \qquad \dfrac{\sigma \Downarrow R}{\sigma \oplus \rho \Downarrow R} \qquad \dfrac{\rho \Downarrow R}{\sigma \oplus \rho \Downarrow R}$$

As usual we make $\bar{\bar{\alpha}} = \alpha$. For a given ready set $R$, $co(R)$ stands for its complementary ready set, i.e., $co(R) = \{\bar{\alpha} \mid \alpha \in R\}$.



3.1 Compliance and subcontract relation 

Compliance formally states when the behavior of a client complies with the behavior of a service. It 
is assumed that the behavior of both the client and the service are described by contracts. There is a 
reserved special action e (for "end") that can occur in client contracts and that represents the ability of 
the client to successfully terminate. Compliance requires that, whenever no further interaction is possible 
between the client and the service, the client be in a state where this action is available. 

Definition 6 (Strong compliance). $\mathcal{C}$ is a strong compliance relation if $(\rho, \sigma) \in \mathcal{C}$ implies that

1. $\rho \Downarrow R$ and $\sigma \Downarrow S$ implies either $e \in R$ or $co(R) \cap S \neq \emptyset$, and

2. $\rho \mapsto^{\alpha} \rho'$ and $\sigma \mapsto^{\bar{\alpha}} \sigma'$ implies $(\rho', \sigma') \in \mathcal{C}$.

We use $\dashv$ to denote the largest strong compliance relation.

Once the precise notion of compliance between clients and services has been established, the notion of strong subcontract is defined. A contract $\sigma$ is a strong subcontract of another contract $\rho$ when all clients compliant with $\sigma$ are also compliant with $\rho$. This notion is coinductively defined as follows.

Definition 7 (Strong subcontract). $\mathcal{S}$ is a strong subcontract relation if $(\sigma, \rho) \in \mathcal{S}$ implies that

1. $\rho \Downarrow R$ implies that there exists $S \subseteq R$ such that $\sigma \Downarrow S$, and

2. $\rho \mapsto^{\alpha} \rho'$ implies $\sigma \mapsto^{\alpha} \sigma'$ and $(\sigma', \rho') \in \mathcal{S}$.

We denote with $\sqsubseteq$ the largest strong subcontract relation.

It has been shown in lillil that $\sqsubseteq$ is the must testing preorder as defined by [6].

3.2 Assigning contracts to ordinary processes 

Contracts are intended as types for describing the behavior of concrete implementations. It is assumed that the observable behavior of concrete implementations is described by a labeled transition system, so that $P \xrightarrow{\mu} P'$ describes the evolution of a process $P$ that performs an action $\mu$ and then becomes $P'$. The performed action $\mu$ can be either a visible action (e.g., an input $a$ or an output $\bar{a}$) or an internal, invisible action $\tau$ that the process $P$ executes autonomously. Then, it is assumed that clients and servers interact by synchronizing over complementary actions, as formally stated below.

Definition 8 (Strong process compliance). Let $P \| Q \rightarrow P' \| Q'$ be the least relation defined by the rules:

$$\dfrac{P \xrightarrow{\tau} P'}{P \| Q \rightarrow P' \| Q} \qquad \dfrac{Q \xrightarrow{\tau} Q'}{P \| Q \rightarrow P \| Q'} \qquad \dfrac{P \xrightarrow{\alpha} P' \quad Q \xrightarrow{\bar{\alpha}} Q'}{P \| Q \rightarrow P' \| Q'}$$

The reflexive and transitive closure of $\rightarrow$ is written $\Rightarrow$; $P \| Q \rightarrow$ stands for $P \| Q \rightarrow P' \| Q'$ for some $P'$ and $Q'$. We write $P \| Q \not\rightarrow$ if not $P \| Q \rightarrow$. A computation of $P \| Q$ is maximal if either it is infinite or there exists $P_n \| Q_n$ such that $P \| Q \Rightarrow P_n \| Q_n \not\rightarrow$. The client $P$ is strongly compliant with the service $Q$, written $P \dashv Q$, if for every configuration $P_i \| Q_i$ of every maximal computation there exists $j \geq i$ such that either $P_j \xrightarrow{\alpha} P_{j+1}$ for some $\alpha$ or $P_j \not\xrightarrow{\tau}$ and $P_j \xrightarrow{e}$.

It is assumed that a type system is given to check that a process $P$ implements the contract $\sigma$. This is expressed by the judgment $\vdash P : \sigma$.

Definition 9. A type system is consistent if, whenever $\vdash P : \sigma$, we have

1. $P \xrightarrow{\tau} P'$ implies $\vdash P' : \sigma'$ and $\sigma \sqsubseteq \sigma'$;

2. $P \xrightarrow{\alpha} P'$ implies $\vdash P' : \sigma'$, $\sigma \mapsto^{\alpha}$, and $\sigma(\alpha) \sqsubseteq \sigma'$;

3. $P$ diverges implies $\sigma \Downarrow \emptyset$;

4. $P \not\xrightarrow{\tau}$ implies $\sigma \Downarrow R$ and $R \subseteq \{\alpha \mid P \xrightarrow{\alpha}\}$.

For consistent type systems, the following Lemma has been proved.

Lemma 1 (Subject reduction). If $\vdash P : \rho$ and $\vdash Q : \sigma$ and $\rho \dashv \sigma$ and $P \| Q \rightarrow P' \| Q'$, then $\vdash P' : \rho'$ and $\vdash Q' : \sigma'$ and $\rho' \dashv \sigma'$.

It has been shown that consistent type systems are sound with respect to compliance, i.e., two processes are guaranteed to be compliant if their types are compliant, as formally stated by the following result.

Theorem 1. If $\vdash P : \rho$ and $\vdash Q : \sigma$ and $\rho \dashv \sigma$ then $P \dashv Q$.
4 Abstraction for contracts 

We start by introducing a general definition of the notion of slicing or abstraction of concrete processes. We consider the language of concrete processes enriched with an operator that transforms any action over a hidden channel into an internal action. The abstraction operator is defined as follows

$$\mathcal{A}_V[P]$$

where $V \subseteq \mathcal{N}$ is the set of visible actions.

The process $\mathcal{A}_V[P]$ is a slice of $P$ that behaves as $P$ every time $P$ performs an action over a visible port, while it performs an internal action when the subject of the action executed by $P$ is a hidden channel. Consequently, we assume that the labeled transition system for processes is extended with the following two rules

$$\dfrac{P \xrightarrow{\alpha} P' \quad \alpha \in V}{\mathcal{A}_V[P] \xrightarrow{\alpha} \mathcal{A}_V[P']} \qquad\qquad \dfrac{P \xrightarrow{\alpha} P' \quad \alpha \notin V}{\mathcal{A}_V[P] \xrightarrow{\tau} \mathcal{A}_V[P']}$$

In addition, we define the effect of applying abstraction over a contract $\sigma$ as hiding all actions of $\sigma$ that are not in $V$.

Definition 10 (Contract abstraction). The abstraction $\mathcal{A}_V$ of a contract $\sigma$, written $\mathcal{A}_V(\sigma)$, is inductively defined as follows:

$$\mathcal{A}_V(0) = 0$$

$$\mathcal{A}_V(\alpha.\sigma) = \alpha.\mathcal{A}_V(\sigma) \quad \text{if } \alpha \in V$$

$$\mathcal{A}_V(\alpha.\sigma) = \mathcal{A}_V(\sigma) \quad \text{if } \alpha \notin V$$

$$\mathcal{A}_V\Big(\sum_{i \in I} \alpha_i.\sigma_i\Big) = \sum_{j \in J} \alpha_j.\mathcal{A}_V(\sigma_j) \oplus \bigoplus_{k \in K} \mathcal{A}_V(\sigma_k)$$

with $J = \{i \in I \mid \alpha_i \in V\}$ and $K = \{i \in I \mid \alpha_i \notin V\}$.

The previous rules state that applying abstraction to a contract is not just removing the hidden actions. In fact, the abstraction of a contract accounts for the fact that a concrete process may commit a choice when executing a hidden action. The most interesting rule is the one for external choices. Note that the abstraction for $\s igma = \sum_{i \in I} \alpha_i.\sigma_i$ corresponds to a contract that internally chooses whether to execute an internal action, i.e., some $\alpha_k \notin V$, or to leave the client to select one of the available visible actions $\alpha_j \in V$.

Example 1. Consider the following variant of the service that handles loan requests described in the Introduction. In this variant, the service asks a third-party service for a recommendation based on client historical records. The third-party service responds back by sending either a positive or a negative feedback. A contract describing the behavior of the concrete service can be written as follows.

$$\sigma = request.askadvice.(negative.refused + positive.approved)$$

The corresponding contract describing the interaction of the service with the client will be

$$\mathcal{A}_{\{request, refused, approved\}}(\sigma) = request.(refused \oplus approved)$$

This abstraction states clearly that the loan service accepts a client request and then decides internally whether to approve or to refuse it. The internal choice in the abstraction reflects the fact that a service may commit a choice when it interacts over a hidden channel (e.g., it commits to refuse the request when it receives a negative feedback from the third party).
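The following Python code is an added illustration, not part of the paper or of any tool it describes: it implements finite contracts (Section 3), the abstraction $\mathcal{A}_V$ of Definition 10, ready sets, transitions and strong compliance (Definitions 4 to 6), and runs them on the loan service of Example 1 against two clients. It assumes that actions are strings with a co-action marked by a leading "~", that a name in $V$ makes both an action and its co-action visible, that $\mathcal{A}_V$ distributes over internal choice (a case Definition 10 does not spell out), that an empty external part is dropped as Example 1 does, and that the service receives $request$, $negative$ and $positive$ while it sends $askadvice$, $refused$ and $approved$.

```python
from itertools import product

# Contracts as tuples: ("nil",) is 0, ("pre", a, s) is a.s,
# ("ext", branches) is c1 + c2 + ... and ("int", branches) is c1 (+) c2 (+) ...,
# where branches is a tuple. Actions are strings; a leading "~" marks the
# co-action (assumed encoding: co("a") == "~a").
NIL = ("nil",)

def pre(a, s=NIL):
    return ("pre", a, s)

def _choice(tag, cs):
    # nested choices of the same kind are flattened (contracts are taken
    # modulo associativity); the empty sum is 0 by the paper's convention
    items = tuple(x for c in cs for x in (c[1] if c[0] == tag else (c,)))
    if not items:
        return NIL
    return items[0] if len(items) == 1 else (tag, items)

def ext(*cs):
    return _choice("ext", cs)

def inner(*cs):
    return _choice("int", cs)

def co(a):
    return a[1:] if a.startswith("~") else "~" + a

def subject(a):
    """Port name of an action; a name in V makes both a and ~a visible."""
    return a[1:] if a.startswith("~") else a

def abstract(c, V):
    """A_V(c) of Definition 10: hide every action whose subject is not in V."""
    kind = c[0]
    if kind == "nil":
        return NIL
    if kind == "pre":
        a, s = c[1], c[2]
        return pre(a, abstract(s, V)) if subject(a) in V else abstract(s, V)
    if kind == "int":  # assumed: A_V distributes over internal choice
        return inner(*(abstract(s, V) for s in c[1]))
    branches = c[1]    # external choice: Definition 10 covers guarded sums only
    if any(b[0] != "pre" for b in branches):
        raise ValueError("external choice with an unguarded branch")
    vis = [b for b in branches if subject(b[1]) in V]       # the index set J
    hid = [b for b in branches if subject(b[1]) not in V]   # the index set K
    # visible branches stay an external choice; each hidden branch becomes an
    # internal alternative, since the service may commit by executing it
    parts = [abstract(b, V) for b in hid]
    if vis:  # an empty external part is dropped, as in Example 1
        parts.insert(0, ext(*(pre(b[1], abstract(b[2], V)) for b in vis)))
    return parts[0] if len(parts) == 1 else inner(*parts)

def ready_sets(c):
    """All R with c ready-set R (Definition 5), as a list of frozensets."""
    kind = c[0]
    if kind == "nil":
        return [frozenset()]
    if kind == "pre":
        return [frozenset([c[1]])]
    if kind == "ext":  # one ready set from each branch, united
        return [frozenset().union(*rs)
                for rs in product(*(ready_sets(s) for s in c[1]))]
    return [r for s in c[1] for r in ready_sets(s)]  # any branch's ready set

def step(c, a):
    """Unique continuation c(a) after action a (Definition 4), or None."""
    kind = c[0]
    if kind == "nil":
        return None
    if kind == "pre":
        return c[2] if c[1] == a else None
    # for both + and (+): branches that cannot do a are dropped, and the
    # continuations of the remaining ones are combined by internal choice
    conts = [s for s in (step(b, a) for b in c[1]) if s is not None]
    if not conts:
        return None
    return conts[0] if len(conts) == 1 else inner(*conts)

def compliant(rho, sigma):
    """Strong compliance of client rho with service sigma (Definition 6).
    Computed recursively; terminates because all contracts here are finite."""
    for R in ready_sets(rho):
        for S in ready_sets(sigma):
            # condition 1: the client can end, or some co-action is offered
            if "e" not in R and not ({co(a) for a in R} & S):
                return False
    for a in set().union(*ready_sets(rho)):          # init(rho)
        r2, s2 = step(rho, a), step(sigma, co(a))
        if r2 is not None and s2 is not None and not compliant(r2, s2):
            return False                             # condition 2
    return True

def loan_example():
    """Example 1: the loan service, its client-side slice, and two clients."""
    V = {"request", "refused", "approved"}
    sigma = pre("request", pre("~askadvice",
                ext(pre("negative", pre("~refused")),
                    pre("positive", pre("~approved")))))
    sliced = abstract(sigma, V)   # request.(~refused (+) ~approved)
    # a client ready for either answer, and one that only expects approval
    good = pre("~request", ext(pre("refused", pre("e")), pre("approved", pre("e"))))
    bad = pre("~request", pre("approved", pre("e")))
    return sliced, compliant(good, sliced), compliant(bad, sliced), compliant(good, sigma)
```

The last value shows why slicing matters: checked directly against the concrete contract, the client fails compliance at the hidden $askadvice$ step, while against the abstraction it passes.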

The following three results state properties of contract abstraction that will be used for proving the main results of the paper. The next proposition relates the ready sets of the abstraction $\mathcal{A}_V(\sigma)$ with the ready sets of $\sigma$.

Proposition 1. $\mathcal{A}_V(\sigma) \Downarrow S$ if and only if $\sigma \mapsto^{\alpha_1} \sigma_1 \dots \mapsto^{\alpha_n} \sigma_n$, $\alpha_1, \dots, \alpha_n \notin V$ and $\sigma_n \Downarrow S'$ with $S' \cap V = S$.

Proof. $\Rightarrow$) The proof follows by straightforward structural induction on $\sigma$. $\Leftarrow$) By induction on the length of the derivation. The base case follows by case analysis on the structure of $\sigma$. The induction step follows by case analysis on the structure of $\sigma$ and the inductive hypothesis. □

The following proposition characterizes the continuation $\mathcal{A}_V(\sigma)(\alpha)$ of an abstraction.

Proposition 2. $\mathcal{A}_V(\sigma) \mapsto^{\alpha} \rho$ if and only if $\alpha \in V$, $\rho = \bigoplus_{\rho_i \in Alc(\alpha, \sigma, V)} \mathcal{A}_V(\rho_i)$ with

$$Alc(\alpha, \sigma, V) = \{\sigma' \mid \sigma \mapsto^{\beta_1} \dots \mapsto^{\beta_n} \mapsto^{\alpha} \sigma' \text{ and } \beta_1, \dots, \beta_n \notin V\} \neq \emptyset.$$

Proof. $\Rightarrow$) The proof follows by straightforward structural induction on $\sigma$. $\Leftarrow$) By induction on the length of the derivation. The base case follows by case analysis on the structure of $\sigma$. The induction step follows by case analysis on the structure of $\sigma$ and the inductive hypothesis. □

The result below shows that abstraction preserves continuations under visible actions.

Proposition 3. Let $\sigma \mapsto^{\alpha}$ and $\alpha \in V$. Then, $\mathcal{A}_V(\sigma) \mapsto^{\alpha} \mathcal{A}_V(\sigma(\alpha))$.

Proof. The proof follows by straightforward structural induction on $\sigma$. □

The following proposition ensures that abstraction preserves the subcontract relation or, in other words, states that if one contract can be safely replaced by another contract, then any possible slice of the original contract can be safely replaced by the corresponding slice of the new contract.

Proposition 4. If $\sigma \sqsubseteq \rho$ then $\mathcal{A}_V(\sigma) \sqsubseteq \mathcal{A}_V(\rho)$.

Proof. The proof follows by showing that $\mathcal{S} = \{(\mathcal{A}_V(\sigma), \mathcal{A}_V(\rho)) \mid \sigma \sqsubseteq \rho\}$ is a subcontract relation. Due to space limitation we omit details here. (We report the proof in Appendix B.) □

The following two propositions state properties about the continuations of contract abstractions. These two results are used in the proof of the main result of the following section (proof details can be found in Appendix B).

Proposition 5. If $\sigma(\alpha) \sqsubseteq \rho$ and $\alpha \notin V$ then $\mathcal{A}_V(\sigma) \sqsubseteq \mathcal{A}_V(\rho)$.

Proposition 6. If $\sigma(\alpha) \sqsubseteq \rho$ and $\alpha \in V$ then $\mathcal{A}_V(\sigma)(\alpha) \sqsubseteq \mathcal{A}_V(\rho)$.

Finally, we show how to extend a consistent type system in order to be able to type processes that use abstraction. This is achieved by extending any consistent type system for concrete processes with the following typing rule

$$\text{(TypeAbstraction)} \quad \dfrac{\vdash P : \sigma}{\vdash \mathcal{A}_V[P] : \mathcal{A}_V(\sigma)}$$

The next result shows that the above rule preserves consistency.

Proposition 7. A consistent type system enriched with rule (TypeAbstraction) results in another consistent type system.

Proof. Let $\vdash P : \sigma$. As regards consistency condition (1), assume $\mathcal{A}_V[P] \xrightarrow{\tau} \mathcal{A}_V[P']$; then either $P \xrightarrow{\tau} P'$ or $P \xrightarrow{\alpha} P'$ with $\alpha \notin V$. When $P \xrightarrow{\tau} P'$, consistency ensures that $\vdash P' : \sigma'$ and $\sigma \sqsubseteq \sigma'$. By Proposition 4, $\mathcal{A}_V(\sigma) \sqsubseteq \mathcal{A}_V(\sigma')$. If $P \xrightarrow{\alpha} P'$ then by consistency $\vdash P' : \sigma'$ and $\sigma(\alpha) \sqsubseteq \sigma'$. By Proposition 5, $\mathcal{A}_V(\sigma) \sqsubseteq \mathcal{A}_V(\sigma')$. As regards consistency condition (2), assume that $P \xrightarrow{\alpha} P'$ and $\alpha \in V$. By consistency, $\vdash P' : \sigma'$ and $\sigma(\alpha) \sqsubseteq \sigma'$. By Proposition 6, $\mathcal{A}_V(\sigma)(\alpha) \sqsubseteq \mathcal{A}_V(\sigma')$. As regards consistency condition (3), assume that $\mathcal{A}_V[P]$ diverges. Then either $P$ diverges or $P$ has an infinite derivation $P \xrightarrow{\alpha_1} P_1 \dots \xrightarrow{\alpha_n} P_n \dots$ with $\alpha_i = \tau$ or $\alpha_i \notin V$. If $P$ diverges, then $\sigma \Downarrow \emptyset$. Therefore, $\mathcal{A}_V(\sigma) \Downarrow \emptyset$. Otherwise, assume $P$ has an infinite derivation $P \xrightarrow{\alpha_1} P_1 \dots \xrightarrow{\alpha_n} P_n \dots$ with $\alpha_i = \tau$ or $\alpha_i \notin V$. By consistency, this implies that there exists an infinite derivation for the contract $\sigma \mapsto \sigma_1 \dots \mapsto \sigma_n \mapsto \dots$, but this is not possible, since we are considering finite contracts. Finally, as regards consistency condition (4), assume that $\mathcal{A}_V[P] \not\xrightarrow{\tau}$. Then, $P \not\xrightarrow{\tau}$ and $P \not\xrightarrow{\alpha}$ for all $\alpha \notin V$. We derive $\sigma \Downarrow R$ where $R \subseteq \{\alpha \mid P \xrightarrow{\alpha}\}$. Moreover $R \subseteq V$ since $P \not\xrightarrow{\alpha}$ for all $\alpha \notin V$. By Proposition 1, $\mathcal{A}_V(\sigma) \Downarrow R$. Since $\alpha \in R$ implies $\alpha \in V$, $P \xrightarrow{\alpha}$ implies $\mathcal{A}_V[P] \xrightarrow{\alpha}$. Hence, $R \subseteq \{\alpha \mid \mathcal{A}_V[P] \xrightarrow{\alpha}\}$. □



5 Contracts for abstract processes 

In this section we aim at bridging the theories of processes and contracts presented in the previous sections. We remark that although the language of abstract processes is a kind of value-passing CCS, the remainder of this section considers just finite domains for values; hence we implicitly refer to the usual encoding of value-passing CCS into CCS (i.e., we treat a channel together with a tuple of values as a single action). Moreover, we say an action is a visible action if its subject is a visible name.

We define a type system that assigns contracts to processes and we prove that the proposed type system is consistent according to Definition 9. We use judgments of the form $\vdash P : \sigma$. We report the typing rules in Table 2 (the rules are analogous to the type system for WS-BPEL proposed in [5]). The main idea behind the type system is that types can contain neither $\tau$'s nor parallel composition, and that the type of a guarded choice must be an internal choice if its guards are $\tau$'s. In this sense, rule (Tau) is as expected. On the other side, rule (Pref) allows recording in the contract any non-$\tau$ prefix. Rules (Sum) and (Par) are the most interesting and account for assigning to both external choice and parallel composition a contract that is a suitable internal choice. Specifically, the type of a choice is obtained as an internal choice between the branches with $\tau$'s as prefixes and an external choice of visible prefixed branches. For instance, consider the process $P = a.P_1 + b.P_2 + \tau.P_3$. It holds that $\vdash P : (a.\sigma_1 + b.\sigma_2) \oplus \sigma_3$ for $\vdash P_1 : \sigma_1$, $\vdash P_2 : \sigma_2$, and $\vdash P_3 : \sigma_3$. Rule (Par) exploits an idea reminiscent of the expansion lemma, namely that the executions performed by a parallel composition $P|Q$ are the sum of the executions of $P_i|Q$ and $P|Q_j$, $P_i$ and $Q_j$ being all the continuations of $P$ and $Q$, respectively. Note that we do not consider the executions resulting from synchronizations of $P$ and $Q$ over complementary actions, as such synchronizations within the same orchestrator are not allowed. Akin to rule (Sum), the type of a parallel composition is the external choice of the non-$\tau$ prefixed alternatives and the internal choice of the branches whose prefixes are $\tau$'s. Note that rule (Par) requires considering all possible computations $P \xrightarrow{\lambda_i} P_i$ and $Q \xrightarrow{\beta_j} Q_j$ and, consequently, this rule is well-defined when there is a finite number of such computations. We remark that the language for concrete and abstract processes that we are considering ensures that all processes are finitely branching, hence rule (Par) is well-defined for our target language.
$$\text{(Nil)}\quad \vdash 0 : 0 \qquad\qquad \text{(Tau)}\quad \frac{\vdash P : \sigma}{\vdash \tau.P : \sigma} \qquad\qquad \text{(Pref)}\quad \frac{\vdash P : \sigma \qquad \lambda \neq \tau}{\vdash \lambda.P : \lambda.\sigma}$$

$$\text{(Sum)}\quad \frac{\lambda_i \neq \tau \qquad \vdash P_i : \sigma_i \qquad \vdash Q_j : \rho_j}{\vdash \sum_i \lambda_i.P_i + \sum_j \tau.Q_j : \sum_i \lambda_i.\sigma_i \oplus \bigoplus_j \rho_j}$$

$$\text{(Par)}\quad \frac{\vdash P_i|Q : \sigma_i \ \text{ for all } P \xrightarrow{\lambda_i} P_i \qquad \vdash P|Q_j : \rho_j \ \text{ for all } Q \xrightarrow{\beta_j} Q_j}{\vdash P|Q : \big(\sum_{\lambda_i \neq \tau} \lambda_i.\sigma_i + \sum_{\beta_j \neq \tau} \beta_j.\rho_j\big) \oplus \bigoplus_{\lambda_i = \tau} \sigma_i \oplus \bigoplus_{\beta_j = \tau} \rho_j}$$

$$\text{(Cond1)}\quad \frac{\vdash P : \sigma \qquad \vdash Q : \rho \qquad \Box \in \{m,n\}}{\vdash \texttt{if } m = n \texttt{ then } P \texttt{ else } Q : \sigma \oplus \rho}$$

$$\text{(Cond2)}\quad \frac{\vdash P : \sigma \qquad \Box \notin \{m,n\} \qquad m = n}{\vdash \texttt{if } m = n \texttt{ then } P \texttt{ else } Q : \sigma} \qquad\qquad \text{(Cond3)}\quad \frac{\vdash Q : \rho \qquad \Box \notin \{m,n\} \qquad m \neq n}{\vdash \texttt{if } m = n \texttt{ then } P \texttt{ else } Q : \rho}$$

Table 2: Type System for Contracts

As an example, $\vdash (a + \tau)|(b + c) : (a.\sigma_{b+c} + b.\sigma_{a+\tau} + c.\sigma_{a+\tau}) \oplus \sigma_{b+c}$. Rules (Cond1), (Cond2), and (Cond3) concern the type of conditional statements. More in detail, rule (Cond1) applies if $\Box \in \{m,n\}$. In this case, the type of the if-then-else is the internal choice between the types of the two possible alternatives. Conversely, rules (Cond2) and (Cond3) apply when both $m$ and $n$ are visible, and then the type assigned is the type of the only possible branch.
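The rules of Table 2 can be run mechanically. The following is an added example, not code from the paper: it encodes a toy CCS-like process syntax and a contract syntax as nested tuples (my own encoding, with prefix contracts represented as one-branch external choices), computes $\vdash P : \sigma$ exactly as (Tau), (Pref), (Sum), (Par) and (Cond1)-(Cond3) prescribe, and reproduces the example $(a + \tau)|(b + c)$ above. The function and constant names (`ty`, `steps`, `HOLE`, ...) are assumptions of this example.

```python
# Added example (not from the paper): the contract type system of Table 2
# implemented over a toy CCS-like process syntax. The tuple encodings, the
# function names and the sample process are my own assumptions.
TAU = "tau"
HOLE = "□"          # unknown value of an abstract process, as in rule (Cond1)
NIL = ("0",)        # the contract 0

# Processes: ("nil",) | ("pre", act, P) | ("sum", (P1, ..., Pn)) | ("par", P, Q)
#            | ("if", m, n, P, Q)
# Contracts: NIL | ("ext", frozenset({(act, S), ...})) | ("int", frozenset({S, ...}))
# A prefix contract a.S is the one-branch external choice ("ext", {(a, S)}).


def ext(branches):
    """External choice of prefixed branches; the empty sum is 0."""
    branches = frozenset(branches)
    return ("ext", branches) if branches else NIL


def choice(alts):
    """Internal choice of alternatives, flattened (⊕ is associative); a single
    alternative is returned as is and the empty choice is 0."""
    flat = set()
    for s in alts:
        flat |= set(s[1]) if s[0] == "int" else {s}
    if not flat:
        return NIL
    return next(iter(flat)) if len(flat) == 1 else ("int", frozenset(flat))


def steps(p):
    """One-step transitions (act, P') of a process. Parallel components never
    synchronise: the paper forbids that within a single orchestrator."""
    kind = p[0]
    if kind == "nil":
        return []
    if kind == "pre":
        return [(p[1], p[2])]
    if kind == "sum":
        return [t for q in p[1] for t in steps(q)]
    if kind == "par":
        _, l, r = p
        return ([(a, ("par", l2, r)) for a, l2 in steps(l)] +
                [(b, ("par", l, r2)) for b, r2 in steps(r)])
    if kind == "if":
        _, m, n, p_then, p_else = p
        if HOLE in (m, n):                  # either branch may run
            return steps(p_then) + steps(p_else)
        return steps(p_then) if m == n else steps(p_else)
    raise ValueError(kind)


def ty(p):
    """⊢ P : σ following Table 2."""
    if p[0] == "nil":                                   # (Nil)
        return NIL
    if p[0] == "if":                                    # (Cond1)..(Cond3)
        _, m, n, p_then, p_else = p
        if HOLE in (m, n):
            return choice([ty(p_then), ty(p_else)])
        return ty(p_then) if m == n else ty(p_else)
    # (Tau), (Pref), (Sum) and (Par) all split the one-step behaviour of P:
    # visible prefixes form an external choice, τ-prefixed continuations are
    # the alternatives of an internal choice. For P|Q the successors are the
    # P_i|Q and P|Q_j of rule (Par), which steps() already produces.
    moves = [(a, ty(q)) for a, q in steps(p)]
    visible = [(a, s) for a, s in moves if a != TAU]
    silent = [s for a, s in moves if a == TAU]
    return choice(([ext(visible)] if visible else []) + silent)


def show(s):
    """Render a contract; branches are sorted so the output is deterministic."""
    if s == NIL:
        return "0"
    items = sorted(s[1], key=str)
    if s[0] == "ext":
        return " + ".join(f"{a}.{_wrap(t)}" for a, t in items)
    return "(" + " ⊕ ".join(_wrap(t) for t in items) + ")"


def _wrap(t):
    return f"({show(t)})" if t[0] == "ext" and len(t[1]) > 1 else show(t)


def pre(act, p=("nil",)):
    return ("pre", act, p)


# The paper's example process (a + τ) | (b + c), encoded in this syntax.
EXAMPLE = ("par", ("sum", (pre("a"), pre(TAU))), ("sum", (pre("b"), pre("c"))))

if __name__ == "__main__":
    print(show(ty(EXAMPLE)))
```

Running it prints the contract $(a.\sigma_{b+c} + b.\sigma_{a+\tau} + c.\sigma_{a+\tau}) \oplus \sigma_{b+c}$ with $\sigma_{b+c} = b.0 + c.0$ and $\sigma_{a+\tau} = a.0 \oplus 0$, as stated in the text; note that the $\tau$ of $a + \tau$ survives only as the internal alternative $0$ of $\sigma_{a+\tau}$, never as a $\tau$ in the type.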

Theorem 2. The type system $\vdash P : \sigma$ shown in Table 2 is consistent.

Proof. The proof is by induction on the structure of $P$. See Appendix B. □



The next result states an auxiliary property that will be used when proving the main result of this section. It states that the reductions of an abstraction of a concrete process are in one-to-one correspondence with the visible reductions of the concrete process.

Proposition 8. Let $P$ and $Q$ be two closed processes such that $P \propto_V Q$.

1. $\mathcal{A}_V[Q] \xrightarrow{\alpha} \mathcal{A}_V[Q']$ implies $P \xrightarrow{\alpha} P'$ and $P' \propto_V Q'$.

2. $P \xrightarrow{\alpha} P'$ implies $\mathcal{A}_V[Q] \xrightarrow{\alpha} \mathcal{A}_V[Q']$ and $P' \propto_V Q'$.

Proof. See Appendix B. □



M.G. Buscemi & H. Melgratti 






The following result formalizes the relation between abstractions and strong compliance. It basically states that whenever a client $P$ has a type that is compliant with the type of an abstract process $Q$ which is an abstraction of a concrete process $R$, then $P$ correctly interacts with the filtered process $\mathcal{A}_V[R]$.

Theorem 3. Let $\vdash P : \sigma$, $\vdash Q : \rho$ and $Q \propto_V R$. If $\sigma \dashv \rho$ then $P \dashv \mathcal{A}_V[R]$.

Proof. The proof follows the line of the proof of Theorem 4.5 in [5]. Akin to [5], we reserve a special action $e$ (for "end") that can occur in client contracts and that represents the ability of the client to successfully terminate. Then we require that, whenever no further interaction is possible between the client and the service, the client be in a state where this action is available.

First, we notice that, by Proposition 8, any computation $P\|\mathcal{A}_V[R] \rightarrow \cdots \rightarrow P'\|\mathcal{A}_V[R']$ has a corresponding computation $P\|Q \rightarrow \cdots \rightarrow P'\|Q'$ with $Q' \propto_V R'$. Because of Lemma 1 we only need to consider maximal computations, i.e., cases in which $P\|\mathcal{A}_V[R] \not\rightarrow$ or $P\|\mathcal{A}_V[R]$ diverges (equivalently, cases in which $P\|Q \not\rightarrow$ or $P\|Q$ diverges for $Q \propto_V R$). Let $P\|Q \not\rightarrow$ and assume, by contradiction, that $P \not\xrightarrow{e}$. From $\sigma \dashv \rho$ we know that $\rho \Downarrow R$ implies $R \neq \emptyset$ (by Definition 6). From $P\|Q \not\rightarrow$, we have that whenever $P \xrightarrow{\alpha}$ we have $Q \not\xrightarrow{\bar\alpha}$ and hence $\mathcal{A}_V[R] \not\xrightarrow{\bar\alpha}$. Consequently, $\{\alpha \mid P \xrightarrow{\alpha}\} \cap co(\{\alpha \mid Q \xrightarrow{\alpha}\}) = \emptyset$. From consistency condition (4) there exist $R$ and $S$ such that $\rho \Downarrow R$ and $\sigma \Downarrow S$ and $co(R) \cap S = \emptyset$ and $e \notin S$, but this is absurd from the hypothesis that $\sigma \dashv \rho$. Hence $P \xrightarrow{e}$. Assume $P\|Q$ diverges. First, note that $P$ cannot diverge since consistency condition (3) requires that $\rho \Downarrow \emptyset$. Then, the only possibility is that $P$ and $Q$ diverge. By consistency condition (3) we derive $\sigma \Downarrow \emptyset$, hence $\rho \Downarrow R$ implies $e \in R$. From consistency condition (4) we conclude $P \xrightarrow{e}$. □
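The compliance notion used in this proof (the client must be able to perform $e$ whenever the interaction can no longer progress) can be checked exhaustively for finite contracts. The block below is an added example, not code from the paper: it gives contracts a labelled transition semantics (external choice offers its branches, internal choice commits silently), explores every configuration of client‖service, and rejects any stuck configuration where the client does not offer $e$. Since finite contracts never diverge, stuck configurations are the only maximal computations to consider. The tuple encoding, the `!a`/`?a` convention for complementary actions and the sample contracts are my own assumptions.

```python
# Added example (not from the paper): a compliance check σ ⊣ ρ for finite
# contracts, following the description in the proof of Theorem 3: along every
# maximal computation of client‖service, when no further interaction is
# possible the client must be able to perform the reserved action e. The
# encoding, the co-action convention and the sample contracts are my assumptions.
TAU, END = "tau", "e"
NIL = ("0",)

# Contracts: NIL | ("ext", frozenset({(act, S), ...})) | ("int", frozenset({S, ...}))
# Outputs are written "!a" and inputs "?a"; co("!a") == "?a".


def ext(*branches):
    return ("ext", frozenset(branches))


def alt(*alts):
    return ("int", frozenset(alts))


def co(act):
    return ("?" if act[0] == "!" else "!") + act[1:]


def moves(s):
    """Labelled transitions of a contract: an external choice offers its
    branches, an internal choice silently commits to one alternative."""
    if s[0] == "ext":
        return list(s[1])
    if s[0] == "int":
        return [(TAU, t) for t in s[1]]
    return []


def compliant(client, service):
    """True iff every configuration reachable from client‖service in which no
    step is possible has e among the client's offered actions. Finite contracts
    never diverge, so stuck configurations are the only maximal ones."""
    seen, todo = set(), [(client, service)]
    while todo:
        c, s = todo.pop()
        if (c, s) in seen:
            continue
        seen.add((c, s))
        c_moves, s_moves = moves(c), moves(s)
        succ = [(c2, s) for a, c2 in c_moves if a == TAU]
        succ += [(c, s2) for a, s2 in s_moves if a == TAU]
        succ += [(c2, s2) for a, c2 in c_moves if a not in (TAU, END)
                 for b, s2 in s_moves if b == co(a)]
        if not succ and END not in {a for a, _ in c_moves}:
            return False          # stuck, and the client cannot end
        todo.extend(succ)
    return True


# Constructed sample: the service answers a request with ok or err, chosen
# internally; a client must be ready for both (external choice) to comply.
SERVICE = ext(("?req", alt(ext(("!ok", NIL)), ext(("!err", NIL)))))
ROBUST_CLIENT = ext(("!req", ext(("?ok", ext((END, NIL))), ("?err", ext((END, NIL))))))
NAIVE_CLIENT = ext(("!req", ext(("?ok", ext((END, NIL))))))
OK_SERVICE = ext(("?req", ext(("!ok", NIL))))        # always answers ok

if __name__ == "__main__":
    print(compliant(ROBUST_CLIENT, SERVICE),
          compliant(NAIVE_CLIENT, SERVICE),
          compliant(NAIVE_CLIENT, OK_SERVICE))
```

The naive client fails against `SERVICE` because, after the service internally commits to `!err`, the configuration `?ok.e.0 ‖ !err.0` is stuck and the client offers no $e$; the same client complies with `OK_SERVICE`, which illustrates why the type system of Section 5 must record the $\tau$-guarded alternatives of a service as an internal choice rather than an external one.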



6 Conclusions 

In this paper we have investigated the relation between the theory of contracts and the hiding of selected actions. We have shown that we can recover the notion of abstraction as a kind of filter over processes, and we have accommodated this notion into the theory of contracts for web services when considering finite contracts. We remark that the current definition of abstraction is not suitable for handling infinite contracts. In fact, it turns out that abstraction may not preserve the contractivity condition of contracts. To see this, consider the contract $\sigma = b + a.b + a.a.b + a.a.a.b + \ldots + a.a.a\ldots$ that accounts for an infinite execution of $a$'s. Contract $\sigma$ can be written with the recursive expression $\mathtt{rec}\ x = a.x + b$. Then, by taking the current definition of abstraction, $\mathcal{A}_{\{b\}}(\sigma)$ will be associated with the recursive equation $\mathtt{rec}\ x = x + b$, for which contractivity does not hold. We leave as future work the definition of abstraction for infinite contracts.
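The contractivity condition mentioned above (every recursion variable must occur under an action prefix of its binder) is easy to check syntactically. The following is an added example, not code from the paper: it encodes recursive contract terms as tuples (my own encoding), checks contractivity, and confirms the failure reported for $\mathtt{rec}\ x = a.x + b$. The helper `drop_hidden` simply erases prefixes on hidden actions, which is the outcome the paragraph reports for this particular contract; it is a hypothetical simplification and not the paper's general definition of $\mathcal{A}_V$.

```python
# Added example (not from the paper): a contractivity (guardedness) check for
# recursive contract terms, applied to the contracts of the Conclusions.
# The term encoding and drop_hidden are my own assumptions: drop_hidden
# erases prefixes on hidden actions, which is the outcome the Conclusions
# report for rec x = a.x + b, not the paper's general definition of A_V.
# Terms: ("0",) | ("var", x) | ("pre", a, T) | ("ext", T1, T2)
#        | ("int", T1, T2) | ("rec", x, T)
NIL = ("0",)


def contractive(term, pending=frozenset()):
    """True iff every occurrence of a recursion variable is guarded by at least
    one action prefix inside its binder. `pending` holds the bound variables
    that have not yet passed under a prefix."""
    kind = term[0]
    if kind == "0":
        return True
    if kind == "var":
        return term[1] not in pending
    if kind == "pre":                      # a prefix guards every pending variable
        return contractive(term[2], frozenset())
    if kind in ("ext", "int"):             # choices do not guard
        return contractive(term[1], pending) and contractive(term[2], pending)
    if kind == "rec":                      # rec x = T: x is pending inside T
        return contractive(term[2], pending | {term[1]})
    raise ValueError(kind)


def drop_hidden(term, hidden):
    """Erase every prefix whose action is in `hidden` (hypothetical filter)."""
    kind = term[0]
    if kind in ("0", "var"):
        return term
    if kind == "pre":
        body = drop_hidden(term[2], hidden)
        return body if term[1] in hidden else ("pre", term[1], body)
    if kind in ("ext", "int"):
        return (kind, drop_hidden(term[1], hidden), drop_hidden(term[2], hidden))
    return ("rec", term[1], drop_hidden(term[2], hidden))


# rec x = a.x + b, the contract discussed in the Conclusions
SIGMA = ("rec", "x", ("ext", ("pre", "a", ("var", "x")), ("pre", "b", NIL)))

if __name__ == "__main__":
    print(contractive(SIGMA), contractive(drop_hidden(SIGMA, {"a"})))
```

With $a$ hidden the recursion body becomes $x + b$, the variable is no longer under a prefix, and the check fails; hiding $b$ instead leaves $\mathtt{rec}\ x = a.x + 0$, which is still contractive.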

Acknowledgements The authors thank anonymous reviewers for their helpful comments on an earlier 
version of this paper. 
A The non-symbolic semantics of orchestrators

The original definition of the operational semantics of orchestrators, as defined in [13], is shown in Figure 1. The following result states the correspondence between the original, non-symbolic semantics and the symbolic one introduced in Definition 1.

$$\text{(TAU)}\ \ \tau.P \xrightarrow{\tau} P \qquad \text{(OUT)}\ \ \bar{x}(\tilde a).P \xrightarrow{\bar{x}(\tilde a)} P \qquad \text{(IN)}\ \ x_1(\tilde v_1).P_1 + \ldots + x_n(\tilde v_n).P_n \xrightarrow{x_i(\tilde a)} P_i\{\tilde a/\tilde v_i\}$$

$$\text{(IF)}\ \ \frac{P \xrightarrow{\alpha} P'}{\texttt{if } a = a \texttt{ then } P \texttt{ else } Q \xrightarrow{\alpha} P'} \qquad \text{(ELSE)}\ \ \frac{Q \xrightarrow{\alpha} Q' \qquad a \neq b}{\texttt{if } a = b \texttt{ then } P \texttt{ else } Q \xrightarrow{\alpha} Q'}$$

$$\text{(PAR)}\ \ \frac{P \xrightarrow{\alpha} P'}{P|Q \xrightarrow{\alpha} P'|Q} \qquad \text{(STR)}\ \ \frac{P \equiv Q \qquad Q \xrightarrow{\alpha} Q' \qquad Q' \equiv P'}{P \xrightarrow{\alpha} P'}$$

$$\text{(CHOICE-1)}\ \ \frac{P \xrightarrow{\alpha} P' \qquad \Box \in \{m,n\}}{\texttt{if } m = n \texttt{ then } P \texttt{ else } Q \xrightarrow{\alpha} P'} \qquad \text{(CHOICE-2)}\ \ \frac{Q \xrightarrow{\alpha} Q' \qquad \Box \in \{m,n\}}{\texttt{if } m = n \texttt{ then } P \texttt{ else } Q \xrightarrow{\alpha} Q'}$$

$$\text{(CHOICE-3)}\ \ x_1(\tilde v_1).P_1 + \ldots + \Box(\tilde v_i).P_i + \ldots + x_n(\tilde v_n).P_n \rightarrow P_i$$

Figure 1: The non-symbolic semantics of orchestrators

Theorem 4. Let $P$ be a closed process. $P \xrightarrow{\alpha} P'$ holds according to the rules of Figure 1 iff $P \xrightarrow{\alpha} P'$ holds according to Definition 1.

Proof. $\Rightarrow$) By Definition 1, $P \xrightarrow{\alpha} P'$ implies $P \xrightarrow{M,\lambda} Q$ and $\alpha = \lambda\sigma$ and $P' = Q\sigma$ with $\sigma \models M$. The proof follows by straightforward rule induction on the derivation of $P \xrightarrow{M,\lambda} Q$.

- (S-TAU): $P = \tau.Q$, $M = \mathit{true}$, $\lambda = \tau$. For any substitution $\sigma$ we have that $\sigma \models M$ and $\alpha = \lambda\sigma = \tau$. Also, $P$ closed implies $Q$ closed, hence $P' = Q\sigma = Q$. By rule (TAU), $P = \tau.Q \xrightarrow{\tau} Q$.

- (S-OUT) and (S-CHOICE-3): these cases follow as for (S-TAU).

- (S-IN): $P = x_1(\tilde v_1).P_1 + \ldots + x_n(\tilde v_n).P_n$, $M = \mathit{true}$, $\lambda = x_i(\tilde v_i)$, $Q = P_i$. Since $P$ is closed, $fn(Q) \subseteq \tilde v_i$. Then, for any $\sigma \models M$, $P' = Q\sigma = P_i\sigma = P_i\sigma|_{\tilde v_i}$ and $\alpha = \lambda\sigma = \lambda\sigma|_{\tilde v_i}$. By rule (IN), $P \xrightarrow{\alpha} P_i\sigma|_{\tilde v_i} = P'$.

- (S-PAR): $P = P_1|P_2$, $P_1 \xrightarrow{M,\lambda} P_1'$, $Q = P_1'|P_2$. Since $\sigma \models M$, by Definition 1 $P_1 \xrightarrow{\alpha} P_1'\sigma$. By inductive hypothesis, $P_1 \xrightarrow{\alpha} P_1'\sigma$ also holds in the non-symbolic semantics. By rule (PAR), $P_1|P_2 \xrightarrow{\alpha} P_1'\sigma|P_2$. Since $P$ is closed, also $P_2$ is closed. Hence, $P_2\sigma = P_2$. Therefore, $P_1|P_2 \xrightarrow{\alpha} Q\sigma$.

- (S-STR), (S-CHOICE-1) and (S-CHOICE-2): these cases follow analogously to (S-PAR).

- (S-IF): Since $P$ is closed, the only possibility for $m$ and $n$ is to be the same constant. Hence, $P = \texttt{if } a = a \texttt{ then } P_1 \texttt{ else } P_2$ and $P_1 \xrightarrow{M,\lambda} Q$. By inductive hypothesis, $P_1 \xrightarrow{\alpha} Q\sigma$. Then, by rule (IF), $P \xrightarrow{\alpha} Q\sigma$.

- (S-ELSE): this case is analogous to (S-IF).

$\Leftarrow$)

- (TAU): $P = \tau.P'$, $\alpha = \tau$. By (S-TAU), $P \xrightarrow{\mathit{true},\tau} P'$. Since $P'$ is closed, $P'\sigma = P'$ for any $\sigma$. Hence, by Definition 1, $P \xrightarrow{\tau} P'$.

- (OUT): this case follows as (TAU).

- (IN): $P = x_1(\tilde v_1).P_1 + \ldots + x_n(\tilde v_n).P_n$, $\alpha = x_i(\tilde a)$ and $P' = P_i\{\tilde a/\tilde v_i\}$. By rule (S-IN), $P \xrightarrow{\mathit{true},\,x_i(\tilde v_i)} P_i$. Note that $\{\tilde a/\tilde v_i\} \models \mathit{true}$. Then, by Definition 1, $P \xrightarrow{\alpha} P_i\{\tilde a/\tilde v_i\}$.

- (IF): $P = \texttt{if } a = a \texttt{ then } P_1 \texttt{ else } P_2$, $P_1 \xrightarrow{\alpha} P'$. By inductive hypothesis, $P_1 \xrightarrow{\alpha} P'$ holds according to Definition 1. By definition, there exist $M$, $Q$, $\sigma$ and $\lambda$ s.t. $\sigma \models M$, $\alpha = \lambda\sigma$, $P' = Q\sigma$ and $P_1 \xrightarrow{M,\lambda} Q$. Since $M$ is consistent, $M \wedge a = a$ is consistent. Then, by rule (S-IF), $P \xrightarrow{M \wedge a = a,\ \lambda} Q$. From $\sigma \models M$, we have $\sigma \models M \wedge a = a$. By Definition 1, $P \xrightarrow{\alpha} P'$.

- (ELSE): analogous to (IF).

- (PAR): $P = P_1|P_2$ with $P_1 \xrightarrow{\alpha} P_1'$ and $P' = P_1'|P_2$. By inductive hypothesis, $P_1 \xrightarrow{\alpha} P_1'$ holds according to Definition 1. By Definition 1, $P_1 \xrightarrow{M,\lambda} Q$ and there exists $\sigma \models M$ s.t. $\alpha = \lambda\sigma$ and $P_1' = Q\sigma$. By rule (S-PAR), $P_1|P_2 \xrightarrow{M,\lambda} Q|P_2$ (the side condition holds because $P_2$ is closed). By Definition 1 we have $P_1|P_2 \xrightarrow{\alpha} (Q|P_2)\sigma$. Since $P_2$ is closed, $P_2\sigma = P_2$ and, hence, $(Q|P_2)\sigma = P'$.

- (STR), (CHOICE-1), (CHOICE-2) and (CHOICE-3): these cases follow by using the inductive hypothesis.

□

Proposition 9. If $P \xrightarrow{M,\lambda} Q$ then

• $fn(M) \subseteq fn(P)$;

• $fn(Q) \subseteq fn(P) \cup bn(\lambda)$;

• $M$ is consistent.

Proof. It follows by straightforward rule induction. □

Proposition 10. If $P \propto^{M}_{N} Q$ and $fn(P,Q) \cap fn(M) = \emptyset$ then $P \propto_N Q$.
Proof. We first fix the following notation: given a constraint $M$ and a set of names $S$, we write $M \setminus S$ for the constraint obtained from $M$ by removing all terms containing a name in $S$. If $P \propto^{M}_{N} Q$ then there exists a family of abstraction relations $\{\mathcal{A}^{M}_{N}\}_N$ such that $P\,\mathcal{A}^{M}_{N}\,Q$. We take the family of relations $\{\mathcal{A}'_L\}_L$ where $\mathcal{A}'_L = \mathcal{A}^{M}_{N}$ with $L = N \setminus fn(M)$. We now show that this is a family of abstraction relations. Let $P$ and $Q$ be such that $P\,\mathcal{A}'_L\,Q$:

1. Assume $Q \xrightarrow{N_1,\lambda} Q'$ and $bn(\lambda) \cap fn(P,Q,L) = \emptyset$. Without loss of generality we can assume that $bn(\lambda) \cap fn(P,Q,L \cup M) = \emptyset$ (this can always be achieved by alpha-renaming bound names). We know that $P\,\mathcal{A}^{M}_{N}\,Q$ with $L = N \setminus fn(M)$. Since $\mathcal{A}^{M}_{N}$ is an abstraction relation, there exists an $N \wedge N_1$-decomposition $D$ s.t. $\forall M_i \in D$ there exists $P \xrightarrow{M_i,\lambda'} P'$ with $M_i \Rightarrow N_i'$, $\lambda|_V = \lambda'$ and $P'\,\mathcal{A}^{M_i \wedge N_i'}_{N}\,Q'$. By Proposition 9, $P \xrightarrow{M_i,\lambda'} P'$ implies $fn(N_i') \subseteq fn(P)$. Since $fn(P) \cap fn(M) = \emptyset$, then $fn(N_i') \cap fn(M) = \emptyset$ for all $N_i'$. Consequently, $M_i \setminus fn(M) \Rightarrow N_i'$ and $\bigcup_i M_i \setminus fn(M)$ is an $L$-decomposition.

2. If $P \xrightarrow{} P'$, the proof follows as in the previous case.

□



Proposition 11. If $P\{a/x\} \xrightarrow{M,\lambda} Q$ then there exist $N$, $\lambda'$ and $Q'$ s.t. $M = N\{a/x\}$, $\lambda = \lambda'\{a/x\}$ and $Q = Q'\{a/x\}$.

Proof. The proof follows by straightforward rule induction. □

Proposition 12. Let $P \propto^{M}_{N} Q$. For all $a$ s.t. $\{a/x\} \models M$, $P\{a/x\} \propto^{M\{a/x\}}_{N} Q\{a/x\}$.

Proof. We take the following family of relations $\{\mathcal{A}'^{M\{a/x\}}_{L}\}_L$, where

$$\mathcal{A}'^{M\{a/x\}}_{L} = \{(P\{a/x\}, Q\{a/x\}) \mid P\,\mathcal{A}^{M}_{L}\,Q\}.$$

We show that this is a family of abstraction relations. Assume that $P\{a/x\}\,\mathcal{A}'^{M\{a/x\}}_{N}\,Q\{a/x\}$:

1. Assume $Q\{a/x\} \xrightarrow{N_1,\lambda} Q'$ and $bn(\lambda) \cap fn(P,Q,N) = \emptyset$. By Proposition 11, $Q \xrightarrow{N_0,\lambda_0} Q_0$ with $N_1 = N_0\{a/x\}$, $\lambda = \lambda_0\{a/x\}$ and $Q' = Q_0\{a/x\}$. Since $P\,\mathcal{A}^{M}_{N}\,Q$, there is an $M \wedge N_0$-decomposition $D$ s.t. $\forall M' \in D$ there exists $P \xrightarrow{M',\lambda'} P_0$ with $M' \Rightarrow N_0'$, $\lambda_0|_V = \lambda'$ and $P_0\,\mathcal{A}^{M' \wedge N_0'}_{N}\,Q_0$. By definition, $P_0\{a/x\}\,\mathcal{A}'^{(M' \wedge N_0')\{a/x\}}_{N}\,Q_0\{a/x\}$. From $M' \Rightarrow N_0'$ we have that $M'\{a/x\} \Rightarrow N_0'\{a/x\}$. Since $D$ is an $M \wedge N_0$-decomposition we have $M \wedge N_0 \Rightarrow D$ and hence $(M \wedge N_0)\{a/x\} \Rightarrow D\{a/x\}$. From $\{a/x\} \models M$ we have that $M \wedge N_0\{a/x\} \Rightarrow D\{a/x\}$. Consequently, $D\{a/x\}$ is the requested $M \wedge N_1$-decomposition.

2. If $P\{a/x\} \xrightarrow{} P'\{a/x\}$, the proof follows as in the previous case.

□



B Proofs of the results in Sections 4 and 5

Proof of Proposition 4. The proof follows by showing that $\mathcal{S} = \{(\mathcal{A}_V(\sigma), \mathcal{A}_V(\rho)) \mid \sigma \sqsubseteq \rho\}$ is a subcontract relation.

1. Assume $\mathcal{A}_V(\rho) \Downarrow R$. By Proposition 1 we have that $\rho \longmapsto \rho_1 \ldots \longmapsto \rho_n$ and $\rho_n \Downarrow R'$ with $R' \cap V = R$. Since $\sigma \sqsubseteq \rho$, there exists $\sigma \longmapsto \sigma_1 \ldots \longmapsto \sigma_n$ with $\sigma_i \sqsubseteq \rho_i$ for $i = 1..n$. Hence, there exists $S' \subseteq R'$ such that $\sigma_n \Downarrow S'$. By Proposition 1, $\mathcal{A}_V(\sigma) \Downarrow S$ with $S = S' \cap V$. Since $S' \subseteq R'$ we have that $S = S' \cap V \subseteq R' \cap V = R$.

2. Assume $\mathcal{A}_V(\rho) \xrightarrow{\alpha} \rho'$. By Proposition 2, $\alpha \in V$ and $\rho' = \bigoplus_{\rho_i \in Alc(\rho,\alpha,V)} \mathcal{A}_V(\rho_i)$ with

$$Alc(\rho,\alpha,V) = \{\rho' \mid \rho \xRightarrow{\beta_1} \rho_1 \ldots \xRightarrow{\beta_n} \rho_n \xRightarrow{\alpha} \rho' \text{ and } \beta_1, \ldots, \beta_n \notin V\}.$$

Since $\sigma \sqsubseteq \rho$, for any $\rho_i$ in $Alc(\rho,\alpha,V)$ there exists a $\sigma_i$ s.t. $\sigma_i \in Alc(\sigma,\alpha,V)$, i.e., $\sigma \xRightarrow{\tau_1} \ldots \xRightarrow{\tau_n} \xRightarrow{\alpha} \sigma_i$. By Proposition 2, $\sigma' = \bigoplus_{\sigma_i \in Alc(\sigma,\alpha,V)} \mathcal{A}_V(\sigma_i)$. It remains to show that $(\sigma',\rho') \in \mathcal{S}$. This is done by noting that $\sigma' = \bigoplus_j \mathcal{A}_V(\tau_j) \oplus \tau'$ such that any $\tau_j \in Alc(\sigma,\alpha,V)$ has a corresponding $\rho_j$ in $Alc(\rho,\alpha,V)$ with $\tau_j \sqsubseteq \rho_j$. Note that it can be easily proved that $\sigma_1 \sqsubseteq \rho_1$ and $\sigma_2 \sqsubseteq \rho_2$ implies $\sigma_1 \oplus \sigma_2 \sqsubseteq \rho_1 \oplus \rho_2$. Consequently, $\bigoplus_j \tau_j \sqsubseteq \bigoplus_j \rho_j$. We can also easily prove that $\sigma_1 \oplus \sigma_2 \sqsubseteq \sigma_1$ for all $\sigma_1, \sigma_2$. Hence, $\bigoplus_j \tau_j \oplus \tau' \sqsubseteq \bigoplus_j \rho_j$, and finally $(\sigma',\rho') \in \mathcal{S}$ by definition of $\mathcal{S}$.



Proof of Proposition 5. The proof follows by showing that $\mathcal{S} = \{(\mathcal{A}_V(\sigma), \mathcal{A}_V(\rho)) \mid \sigma(\gamma) \sqsubseteq \rho \text{ and } \gamma \notin V\}$ is a subcontract relation.

1. Assume $\mathcal{A}_V(\rho) \Downarrow R$. By Proposition 1 we have that $\rho \longmapsto \rho_1 \ldots \longmapsto \rho_n$ and $\rho_n \Downarrow R'$ with $R' \cap V = R$. Since $\sigma(\gamma) \sqsubseteq \rho$, there exists $\sigma(\gamma) \longmapsto \sigma_1 \ldots \longmapsto \sigma_n$ with $\sigma_i \sqsubseteq \rho_i$ for $i = 1..n$. Consequently, $\sigma \xrightarrow{\gamma} \sigma(\gamma) \longmapsto \sigma_1 \ldots \longmapsto \sigma_n$ with $\sigma_i \sqsubseteq \rho_i$. Hence, there exists $S' \subseteq R'$ such that $\sigma_n \Downarrow S'$. By Proposition 1, $\mathcal{A}_V(\sigma) \Downarrow S$ with $S = S' \cap V$. Since $S' \subseteq R'$ we have that $S = S' \cap V \subseteq R' \cap V = R$.

2. Assume $\mathcal{A}_V(\rho) \xrightarrow{\alpha} \rho'$. By Proposition 2, $\alpha \in V$ and $\rho' = \bigoplus_{\rho_i \in Alc(\rho,\alpha,V)} \mathcal{A}_V(\rho_i)$ with

$$Alc(\rho,\alpha,V) = \{\rho' \mid \rho \xRightarrow{\beta_1} \rho_1 \ldots \xRightarrow{\beta_n} \rho_n \xRightarrow{\alpha} \rho' \text{ and } \beta_1, \ldots, \beta_n \notin V\}.$$

Since $\sigma(\gamma) \sqsubseteq \rho$, for any $\rho_i$ in $Alc(\rho,\alpha,V)$ there exists a $\sigma_i$ s.t. $\sigma_i \in Alc(\sigma(\gamma),\alpha,V)$, i.e., $\sigma(\gamma) \xRightarrow{\tau_1} \ldots \xRightarrow{\tau_n} \xRightarrow{\alpha} \sigma_i$. Note that $\sigma_i \in Alc(\sigma(\gamma),\alpha,V)$ implies $\sigma_i \in Alc(\sigma,\alpha,V)$. By Proposition 2, $\sigma' = \bigoplus_{\sigma_i \in Alc(\sigma,\alpha,V)} \mathcal{A}_V(\sigma_i)$. It remains to show that $(\sigma',\rho') \in \mathcal{S}$. This is done by noting that $\sigma' = \bigoplus_j \mathcal{A}_V(\tau_j) \oplus \tau'$ such that any $\tau_j \in Alc(\sigma,\alpha,V)$ has a corresponding $\rho_j$ in $Alc(\rho,\alpha,V)$ with $\tau_j \sqsubseteq \rho_j$. Note that it can be easily proved that $\sigma_1 \sqsubseteq \rho_1$ and $\sigma_2 \sqsubseteq \rho_2$ implies $\sigma_1 \oplus \sigma_2 \sqsubseteq \rho_1 \oplus \rho_2$. Consequently, $\bigoplus_j \tau_j \sqsubseteq \bigoplus_j \rho_j$. We can also easily prove that $\sigma_1 \oplus \sigma_2 \sqsubseteq \sigma_1$ for all $\sigma_1, \sigma_2$. Hence, $\bigoplus_j \tau_j \oplus \tau' \sqsubseteq \bigoplus_j \rho_j$, and finally $(\sigma',\rho') \in \mathcal{S}$ by definition of $\mathcal{S}$.

Proof of Proposition 6. The proof follows by showing that $\mathcal{S} = \{(\mathcal{A}_V(\sigma)(\gamma), \mathcal{A}_V(\rho)) \mid \sigma(\gamma) \sqsubseteq \rho \text{ and } \gamma \in V\}$ is a subcontract relation.

1. Assume $\mathcal{A}_V(\rho) \Downarrow R$. By Proposition 1 we have that $\rho \longmapsto \rho_1 \ldots \longmapsto \rho_n$ and $\rho_n \Downarrow R'$ with $R' \cap V = R$. Since $\sigma(\gamma) \sqsubseteq \rho$, there exists $\sigma(\gamma) \longmapsto \sigma_1 \ldots \longmapsto \sigma_n$ with $\sigma_i \sqsubseteq \rho_i$ for $i = 1..n$. Hence, there exists $S' \subseteq R'$ such that $\sigma_n \Downarrow S'$. By Proposition 1, $\mathcal{A}_V(\sigma(\gamma)) \Downarrow S$ with $S = S' \cap V$. By Proposition 3, $\mathcal{A}_V(\sigma)(\gamma) = \mathcal{A}_V(\sigma(\gamma))$, hence $\mathcal{A}_V(\sigma)(\gamma) \Downarrow S$ with $S = S' \cap V$. Since $S' \subseteq R'$ we have that $S = S' \cap V \subseteq R' \cap V = R$.

2. Assume $\mathcal{A}_V(\rho) \xrightarrow{\alpha} \rho'$. By Proposition 2, $\alpha \in V$ and $\rho' = \bigoplus_{\rho_i \in Alc(\rho,\alpha,V)} \mathcal{A}_V(\rho_i)$ with

$$Alc(\rho,\alpha,V) = \{\rho' \mid \rho \xRightarrow{\beta_1} \rho_1 \ldots \xRightarrow{\beta_n} \rho_n \xRightarrow{\alpha} \rho' \text{ and } \beta_1, \ldots, \beta_n \notin V\}.$$

Since $\sigma(\gamma) \sqsubseteq \rho$, for any $\rho_i$ in $Alc(\rho,\alpha,V)$ there exists a $\sigma_i$ s.t. $\sigma_i \in Alc(\sigma(\gamma),\alpha,V)$, i.e., $\sigma(\gamma) \xRightarrow{\tau_1} \ldots \xRightarrow{\tau_n} \xRightarrow{\alpha} \sigma_i$. By Proposition 2, $\sigma' = \bigoplus_{\sigma_i \in Alc(\sigma(\gamma),\alpha,V)} \mathcal{A}_V(\sigma_i)$. Moreover, $\mathcal{A}_V(\sigma(\gamma)) \xrightarrow{\alpha} \sigma'$, i.e., $\mathcal{A}_V(\sigma)(\gamma) \xrightarrow{\alpha} \sigma'$ by Proposition 3. It remains to show that $(\sigma',\rho') \in \mathcal{S}$. This case follows as for Proposition 5.

Proof of Theorem 2. We prove by structural induction on $P$ that all conditions in Definition 9 are satisfied. First of all, note that the language of orchestrators we rely on does not diverge, hence consistency condition (3) is trivially satisfied in all cases.

• $P = 0$: Conditions (1) and (2) hold trivially since $P$ has no reductions. As far as condition (4) is concerned, note that $\sigma = 0$ and $\sigma \Downarrow R$ implies $R = \emptyset \subseteq A$ for any $A$.

• $P = \lambda.P'$. If $\lambda = \tau$ then $P = \tau.P'$. The only possible type for $P$ (derived by using rule (Tau)) is $\sigma$ with $\vdash P' : \sigma$, and clearly $\sigma \sqsubseteq \sigma$; therefore condition (1) holds. Moreover, conditions (2) and (4) trivially hold. Let $\lambda \neq \tau$. Then condition (1) trivially holds. As regards condition (2), note that $\vdash P : \sigma$ with $\sigma = \lambda.\sigma'$ and $\vdash P' : \sigma'$. Consequently, $\sigma(\lambda) = \sigma'$ and condition (2) holds. As far as condition (4) is concerned, note that $\sigma \Downarrow R$ implies $R = \{\lambda\} = \{\lambda \mid P \xrightarrow{\lambda}\}$.

• $P = \sum_{i \in I} \lambda_i.P_i + \sum_{j \in J} \tau.Q_j$. From typing rule (Sum) we have that $\vdash P : \sigma$ with $\sigma = \sum_{i \in I} \lambda_i.\sigma_i \oplus \bigoplus_{j \in J} \rho_j$. Condition (1): if $P \xrightarrow{\tau} P'$ then there exists some $k \in J$ such that $P' = Q_k$ and $\vdash P' : \rho_k$ with $\vdash Q_k : \rho_k$. Note that $\sigma = \rho_k \oplus \tau'$ for some $\tau'$. Consequently, $\sigma = \rho_k \oplus \tau' \sqsubseteq \rho_k = \sigma'$. Condition (2): if $P \xrightarrow{\lambda} P'$ with $\lambda \neq \tau$, then there exists some $k \in I$ such that $P' = P_k$, $\lambda_k = \lambda$ and $\vdash P' : \sigma_k$. Consequently, $\sigma(\lambda) = \sigma_k \oplus \tau'$ for some $\tau'$. Hence, $\sigma(\lambda) \sqsubseteq \sigma'$. As far as condition (4) is concerned, note that $P \not\xrightarrow{\tau}$ implies $J = \emptyset$. Then $\sigma = \sum_{i \in I} \lambda_i.\sigma_i$, and $\sigma \Downarrow R$ implies $R = \{\lambda_i \mid i \in I\} = \{\lambda \mid P \xrightarrow{\lambda}\}$.

• $P = P_1|P_2$. Condition (1): if $P \xrightarrow{\tau} P'$ then either $P_1 \xrightarrow{\tau} P_1'$ or $P_2 \xrightarrow{\tau} P_2'$. If $P_1 \xrightarrow{\tau} P_1'$ then $\sigma$ is an internal choice containing a subterm $\sigma'$ where $\vdash P_1'|P_2 : \sigma'$. Consequently, $\sigma \sqsubseteq \sigma'$. The case $P_2 \xrightarrow{\tau} P_2'$ is analogous. For condition (2), note that either $P_1 \xrightarrow{\lambda} P_1'$ or $P_2 \xrightarrow{\lambda} P_2'$ with $\lambda \neq \tau$. The proof follows as for condition (1). As regards condition (4), note that neither $P_1 \xrightarrow{\tau}$ nor $P_2 \xrightarrow{\tau}$. Hence,

$$\sigma = \sum_{\lambda_i \neq \tau} \lambda_i.\sigma_i + \sum_{\beta_j \neq \tau} \beta_j.\rho_j \quad \text{where } P_1 \xrightarrow{\lambda_i} P_i \text{ and } P_2 \xrightarrow{\beta_j} Q_j.$$

Therefore $\sigma \Downarrow R$ implies $R = \{\lambda \mid P \xrightarrow{\lambda}\}$.

• $P = \texttt{if } m = n \texttt{ then } P_1 \texttt{ else } P_2$. There are two cases: $\Box \in \{m,n\}$ and $\Box \notin \{m,n\}$. Assume $\Box \in \{m,n\}$. By rule (Cond1), $\sigma = \sigma_1 \oplus \sigma_2$ with $\vdash P_1 : \sigma_1$ and $\vdash P_2 : \sigma_2$. As far as condition (1) is concerned, $P \xrightarrow{\tau} P'$ when either $P_1 \xrightarrow{\tau} P_1'$ or $P_2 \xrightarrow{\tau} P_2'$. Let $P_1 \xrightarrow{\tau} P_1'$ with $\vdash P_1' : \sigma_1'$ and $\sigma_1 \sqsubseteq \sigma_1'$ by inductive hypothesis. Therefore, $\sigma = \sigma_1 \oplus \sigma_2 \sqsubseteq \sigma_1'$. The case $P_2 \xrightarrow{\tau} P_2'$ follows analogously. For condition (2), the proof follows analogously to condition (1). In respect of condition (4), note that $\sigma \Downarrow R$ implies that either $\sigma_1 \Downarrow R$ or $\sigma_2 \Downarrow R$. By inductive hypothesis, we know that $\sigma_1 \Downarrow R$ implies $R \subseteq \{\lambda \mid P_1 \xrightarrow{\lambda}\}$ and $\sigma_2 \Downarrow R$ implies $R \subseteq \{\lambda \mid P_2 \xrightarrow{\lambda}\}$. Hence, $R \subseteq \{\lambda \mid P_1 \xrightarrow{\lambda}\} \cup \{\lambda \mid P_2 \xrightarrow{\lambda}\}$. It is easy to see that $P \xrightarrow{\lambda}$ if and only if $P_1 \xrightarrow{\lambda}$ or $P_2 \xrightarrow{\lambda}$. The cases for $\Box \notin \{m,n\}$ follow analogously by noting that $\sigma$ is either $\sigma_1$ or $\sigma_2$ depending on whether $m = n$ or $m \neq n$ holds.
Proof of Proposition 8. We only prove the first case; the second case is similar. From $\mathcal{A}_V[Q] \xrightarrow{\alpha} \mathcal{A}_V[Q']$ we have that $Q \xrightarrow{\beta} Q'$ with $\beta|_V = \alpha$, $\beta|_V$ being defined as the expected counterpart of $\lambda|_V$. By Definition 1, there exist $M$, $\lambda$, $R$ and $\sigma \models M$ such that $Q \xrightarrow{M,\lambda} R$ and $\lambda\sigma = \beta$ and $R\sigma = Q'$. $P$ and $Q$ are closed, hence $bn(\lambda) \cap fn(P,Q,M) = \emptyset$. Since $P \propto_V Q$ there exists an $M$-decomposition $D$ such that $\forall M' \in D$, $P \xrightarrow{M',\lambda'} P''$ with $M' \Rightarrow N'$, $\lambda|_V = \lambda'$, and there exists some simulation-based abstraction relation such that $P''\,\mathcal{A}^{M' \wedge N'}_{V}\,R$. Since $\sigma \models M$ and $D$ is an $M$-decomposition, there exists at least one $M_i \in D$ such that $\sigma \models M_i$ (and hence $\sigma \models N'$). By Definition 1, $P \xrightarrow{\lambda'\sigma} P''\sigma$. There are two cases:

• $\lambda' = \tau$ or $\lambda' = \bar{x}(\tilde a)$: In both cases, $\lambda$ and $\lambda'$ are closed. Hence, $\lambda' = \lambda'\rho$ for any substitution $\rho$. Since $\beta = \lambda\sigma = \lambda$, we have that $\alpha = \beta|_V = \lambda|_V = \lambda' = \lambda'\sigma$. It remains to show that $P''\sigma \propto_V Q'$ with $Q' = R\sigma$. Since $bn(\lambda) = \emptyset$, we have $P''\,\mathcal{A}^{M'}_{V}\,R$. Also note that $R$ and $P''$ are closed because $Q$ and $P$ are closed. Hence, $Q' = R\sigma = R$, $P'' = P''\sigma$ and

• $\lambda' = x(\tilde y)$: Since $\lambda' = \lambda|_V$ is an input action, we have that $\lambda$ is an input action and both $\lambda'$ and $\lambda$ have the same subject $x$, which belongs to $V$. Consequently, $\lambda|_V = \lambda$. Then, $\lambda' = \lambda|_V = \lambda$, and consequently $\lambda'\sigma = \lambda\sigma = \beta$. Since $\beta$ is an input action whose subject is in $V$, $\beta|_V = \beta$. Consequently, $\lambda'\sigma = \lambda\sigma = \beta|_V = \alpha$. It remains to show that $P''\sigma \propto_V Q'$ with $Q' = R\sigma$. We know that $P''\,\mathcal{A}^{M' \wedge N'}_{V}\,R$. Since $\lambda$ is an input action, $\tilde y \cap fn(M') = \emptyset$, hence $\sigma \models M'$. By Proposition [?], $P''\sigma\,\mathcal{A}^{M'\sigma}_{V}\,R\sigma$. Since $P''\sigma$ and $R\sigma$ are closed, $P''\sigma \propto_V R\sigma$ holds by Proposition [?].